In the last year and a half, we’ve seen an unprecedented increase in ransomware attacks on Operational Technology (OT) networks. While this surge is generating a lot of press coverage, it is something experts within our industry have been anticipating for a while. In fact, I presented on the topic of ransomware and destructive attacks at RSAC 2018, together with a host of security leaders from the public and private sector.
Evidence of nation-state actors targeting OT networks had been building. But in 2017, NotPetya showed the world that the accidental spill-over of ransomware into OT networks could have disastrous consequences. Operations came to a standstill at multinational corporations across a wide swath of sectors, including healthcare, energy, and transportation, resulting in an estimated $10 billion in damages. It was only a matter of time before cybercriminals realized that OT networks are critical to operations, and therefore extremely valuable.
Revenue is generated and customers’ lives are improved when OT networks are up and running. If ransomware attacks specifically targeted industrial environments, the outcome could be loss of availability of those systems, directly impacting the core business of the company. Even a partial loss of view into the process for human operators would necessitate a shutdown due to product quality or safety concerns. Ultimately, any risk of disruption to physical processes can lead to loss of productivity and revenue and, in some cases, to loss of life as well.
Government alerts enumerate some common tactics and techniques adversaries use to infiltrate organizations, including spearphishing to obtain access to the IT network and then pivoting to the OT network, or directly connecting to internet-accessible controllers that require no user or device authentication. From there, the door is open to deploy ransomware and encrypt data. In many cases, the adversary can traverse the OT network unnoticed for months or even years because of the limited number of security controls on those networks.
Most recently, U.S. government agencies acknowledged that BlackMatter is a possible rebrand of DarkSide, the group that attacked Colonial Pipeline and has since targeted multiple U.S. critical infrastructure entities, including two in the food and agriculture sector. Whether a rebrand or an offshoot, as some security experts argue, the group demonstrates the resolve of these ransomware operators to continue disrupting consumer access to critical infrastructure services, and with it the economy and daily life for millions of people.
What can defenders do in this new reality to strengthen the security posture of their OT environments? Here are five recommendations every CISO should consider:
1. Extend the scope of your risk governance to include anything that is a cyber-physical asset. This includes all Industrial IoT, industrial control system (ICS), and Enterprise IoT components. Of course, this is a challenging step for many organizations since it’s not an easy task to even identify those assets. It’s a process that might take iterations. Thankfully, in the last few years our industry has made tremendous progress in technology that helps us easily discover such assets and profile their exposure, risk, and vulnerabilities.
2. Make sure that you have proper segmentation between IT and OT networks. There are many business processes and applications that need to communicate across the IT/OT boundary, so we need to ensure this is done in a secure way: every allowed flow across the boundary should be explicitly defined, and everything else denied. This simple step usually gets taken for granted, but it shouldn’t. In addition to the IT/OT segmentation, segment the OT environment itself into zones and restrict traffic between zones to the conduits the process actually needs. Segmentation alone does not detect anything; it is the monitoring of those zone boundaries that lets you spot lateral movement within the OT network. And if remote operations need access directly into the OT networks, make sure this is done through a secure remote access connection with strict controls over users, devices, and sessions.
3. Practice good cyber hygiene. Ensure that your hygiene extends to OT and IoT devices. This includes the use of strong passwords (and not sharing passwords among different users, a practice that is common in industrial operations), a password vault, and multi-factor authentication. Some processes, like patching legacy systems, might be more challenging or not possible. If that is the case, identify and implement compensating controls such as firewall rules and access control lists that limit which hosts can reach the unpatched system at all. The Cybersecurity and Infrastructure Security Agency (CISA) offers a number of no-cost hygiene services, including scanning and testing, to help reduce exposure to threats.
4. Implement a robust system monitoring program. This means monitoring for threats in both IT and OT networks and anything that traverses the boundary between them. Agentless solutions that are purpose-built for continuous threat monitoring across the OT network can be implemented quickly, integrate equally well with OT and IT systems and workflows, and allow IT and OT teams to look at OT environments together. Working from the same set of information, these teams can take specific steps to manage and mitigate risk from both known and unknown, emerging threats.
5. Run exercises on your incident response plan. Running tabletop exercises of ransomware attacks can help you understand your organizational and technical preparedness. This affords you an opportunity to create an improved incident response plan and will build confidence in your preparedness and resilience to such attacks.
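Recommendations 2 and 4 fit together: the segmentation policy is only useful if something checks the traffic crossing zone boundaries against it. The script below is an added example, not code from the original article or from any product it describes. It assumes a hypothetical layout (an IT LAN, an OT DMZ holding a historian and jump host, and two OT cells), a hypothetical allowlist of conduits between those zones, and a constructed five-field connection log; any real deployment would substitute its own zones, conduits and flow-export format. It flags IT-to-OT traffic outside the approved conduits, cell-to-cell traffic (lateral movement), and any unmapped address reaching an OT asset (an internet-exposed controller).

```python
"""Zone/conduit policy check over constructed connection logs.

Added example, not the article's code. Zones, CIDRs, conduits and the
sample log are all assumed/constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Assumed layout: IT enterprise LAN, an OT DMZ (historian / jump host),
# and two OT cells that must never talk to each other directly.
ZONES = {
    "IT":       [ipaddress.ip_network("10.10.0.0/16")],
    "OT-DMZ":   [ipaddress.ip_network("10.20.0.0/24")],
    "OT-CELL1": [ipaddress.ip_network("192.168.10.0/24")],
    "OT-CELL2": [ipaddress.ip_network("192.168.20.0/24")],
}

# Approved conduits: (src_zone, dst_zone, proto, dst_port). Anything else
# crossing a zone boundary is a violation. Hypothetical policy:
#  - IT reaches only the DMZ, over HTTPS (443) and the jump host (22).
#  - The DMZ historian polls each cell over Modbus/TCP (502).
#  - Cells never initiate traffic to IT or to each other.
CONDUITS = {
    ("IT", "OT-DMZ", "tcp", 443),
    ("IT", "OT-DMZ", "tcp", 22),
    ("OT-DMZ", "OT-CELL1", "tcp", 502),
    ("OT-DMZ", "OT-CELL2", "tcp", 502),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything unmapped is treated as external."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return "EXTERNAL"


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    # Constructed log format: "<timestamp> <src_ip> <dst_ip> <proto> <dst_port>"
    _ts, src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def check_flow(flow: Flow) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) if the flow violates the conduit policy, else None."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if sz == dz:
        return None  # intra-zone traffic is out of scope for this check
    if (sz, dz, flow.proto, flow.dport) in CONDUITS:
        return None
    if sz == "EXTERNAL" and dz.startswith("OT"):
        return ("critical", f"unmapped/external host {flow.src} reached OT asset {flow.dst}:{flow.dport}")
    if sz.startswith("OT-CELL") and dz.startswith("OT-CELL"):
        return ("high", f"cell-to-cell lateral movement {sz} -> {dz} on {flow.proto}/{flow.dport}")
    if sz == "IT" and dz.startswith("OT"):
        return ("high", f"IT -> {dz} outside approved conduits on {flow.proto}/{flow.dport}")
    return ("medium", f"unapproved conduit {sz} -> {dz} on {flow.proto}/{flow.dport}")


def audit(lines) -> List[Tuple[str, str, str, int, str]]:
    """Run every log line through the policy; return (severity, src, dst, dport, reason)."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        v = check_flow(f)
        if v:
            findings.append((v[0], f.src, f.dst, f.dport, v[1]))
    return findings


# Constructed sample log: three approved flows, then SMB from IT straight
# into a cell, a cell-to-cell Modbus connection, and an internet address
# reaching a controller on 502.
SAMPLE_LOG = """\
2021-10-19T10:00:01 10.10.5.23 10.20.0.10 tcp 443
2021-10-19T10:00:02 10.10.5.23 10.20.0.10 tcp 22
2021-10-19T10:00:03 10.20.0.10 192.168.10.50 tcp 502
2021-10-19T10:01:07 10.10.5.23 192.168.10.50 tcp 445
2021-10-19T10:02:11 192.168.10.50 192.168.20.7 tcp 502
2021-10-19T10:03:30 203.0.113.9 192.168.20.7 tcp 502
"""

if __name__ == "__main__":
    for sev, src, dst, dport, why in audit(SAMPLE_LOG.splitlines()):
        print(f"[{sev}] {why}")
```

The same allowlist that drives this check is the one the IT/OT firewall rules and ACLs from recommendation 3 should enforce; the point of running it over flow records as well is to catch the conduit that was never written down, or the rule that was "temporarily" opened and forgotten.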
Ransomware attacks are disrupting pipelines, processing plants, and food distribution. Although none of these attacks appear to have impacted the OT environment directly, it is only a matter of time. Thankfully, we have the knowledge and tools to change this trajectory. By taking a few simple, foundational steps you can reduce the risk of ransomware to your industrial environments.